OS monitor

ABSTRACT

An in-vehicle communication network comprising a bus and at least one node connected to the bus; an in-vehicle network operating system (OS) that manages OS processes, to enable a processor to run the processes and execute their respective process codes; and a module hosted in the OS that is configured to monitor the OS and vet a process that the OS enables for running by a processor to determine if the process is potentially damaging.

RELATED APPLICATIONS

This application is a continuation of co-pending U.S. application Ser.No. 14/590,042 filed on Jan. 6, 2015, which claims benefit under 35U.S.C. 119(e) of U.S. Provisional Applications 61/923,790 filed Jan. 6,2014; and 61/927,515 filed Jan. 15, 2014; and 62/038,859 filed Aug. 19,2014; and 62/038,856 filed Aug. 19, 2014 the disclosures of which areincorporated herein by reference.

FIELD

Embodiments of the disclosure relate to providing cyber security forin-vehicle communication networks.

BACKGROUND

Over the last half century the automotive industry has, initiallyslowly, and subsequently with great rapidity, been evolving frommechanical control systems for controlling a vehicle's functions toelectronic “drive by wire” control systems for controlling thefunctions. In mechanical vehicular control systems a driver of a vehiclecontrols components of a vehicle that control vehicle functions byoperating mechanical systems that directly couple the driver to thecomponents via mechanical linkages. In drive by wire vehicle controlsystems a driver may be coupled directly, and/or very often indirectly,to vehicle control components that control vehicle functions byelectronic control systems and electronic wire and/or wirelesscommunication channels, rather than direct mechanical linkages. Thedriver controls the control components by generating electronic signalsthat are input to the electronic control systems and the communicationchannels.

Typically, a vehicular electronic control system comprises a userinterface for receiving driver actions intended to control a vehiclefunction, transducers that convert the actions to electronic controlsignals, and a plurality of sensors and/or actuators that generatesignals relevant to the function. An electronic control unit (ECU) ofthe control system receives the user generated signals and the signalsgenerated by the sensors and/or actuators, and responsive to thesignals, operates to control a vehicle component involved in performingthe function. The ECU of a given control system may also receive andprocess signals relevant to performance of the function generated by,and/or by components in, other vehicle control systems. The sensors,actuators, and/or other control systems communicate with each other andthe ECU of the given control system via a shared in-vehiclecommunication network, to cooperate in carrying out the function of thegiven control system.

By way of example, a vehicle throttle by wire control system thatreplaces a conventional cable between an accelerator pedal and an enginethrottle may comprise an electronic accelerator pedal, an ECU alsoreferred to as an engine control module (ECM), and an electronicthrottle valve that controls airflow into the engine and thereby powerthat the engine produces. The electronic accelerator pedal generateselectronic signals responsive to positions to which a driver depressesthe pedal. The ECM receives the accelerator pedal signals, and inaddition electronic signals that may be generated by other sensors,actuators, and electronic control systems in the vehicle that provideinformation relevant to the safe and efficient control of the engine viaan in-vehicle communication network. The ECM processes the driver inputsignals and the other relevant signals to generate electronic controlsignals that control the throttle. Among the other sensors actuators,and electronic control systems that may provide relevant signals to theECM over the in-vehicle network are, air-flow sensors, throttle positionsensors, fuel injection sensors, engine speed sensors, vehicle speedsensors, brake force and other traction control sensors comprised in abrake by wire system, and cruise control sensors.

In-vehicle communication networks of modern vehicles are typicallyrequired to support communications for a relatively large and increasingnumber of electronic control systems of varying degrees of criticalityto the safe and efficient operation of the vehicles. A modern vehiclemay for example be home to as many as seventy or more control systemECUs that communicate with each other and sensors and actuators thatmonitor and control vehicle functions via the in-vehicle network. TheECU's may, by way of example, be used to control in addition to enginethrottle described above, power steering, transmission, antilock braking(ABS), airbag deployment, cruise control, power windows, doors, andmirror adjustment. In addition, an in-vehicle network typically supportson board diagnostic (OBD) systems and communication ports, variousvehicle status warning systems, collision avoidance systems, audio andvisual information and entertainment (infotainment) systems andprocessing of images acquired by on-board camera systems. The in-vehiclenetwork in general also provides access to mobile communicationnetworks, WiFi and Bluetooth communications, TPMS (tire pressure monitorsystem) V2X (vehicle to vehicle communication), keyless entry system,the Internet, and GPS (global positioning system).

Various communication protocols have been developed to configure,manage, and control communications of vehicle components that areconnected to and communicate over an in-vehicle communication network.Popular in-vehicle network communication protocols currently availableare CAN (control area network), FlexRay, MOST (Media Oriented SystemsTransport), Ethernet, and LIN (local interconnect network). Theprotocols may define a communication bus and how the ECUs, sensors, andactuators, generically referred to as nodes, connected to thecommunication bus, access and use the bus to transmit signals to eachother.

The growing multiplicity of electronic control systems, sensors,actuators, ECUs and communication interfaces and ports, that anin-vehicle communication network supports makes the in-vehiclecommunication network, and the vehicle components that communicate viathe communication system, increasingly vulnerable to cyber attacks thatmay dangerously compromise vehicle safety and performance.

SUMMARY

An aspect of an embodiment of the disclosure relates to providing asystem, hereinafter also referred to as a global automotive securitysystem (GASS), which operates to provide security to in-vehiclecommunication systems against cyber attacks for vehicles subscribed toGASS in a relatively extended geographical area. In an embodiment of thedisclosure, GASS comprises a data monitoring and processing hub,hereinafter also referred to as a Cyber-Hub, and a module installed in asubscriber vehicle that communicates with the Cyber-Hub. The module maybe referred to as a Cyber-Watchman or Watchman.

The Cyber-Watchman installed in a subscriber vehicle monitorscommunication traffic over at least a portion of an in-vehiclecommunication network of the vehicle to identify anomalies in thecommunication traffic that may indicate a disturbance in the normaloperation of the network or vehicle. The disturbance may by way ofexample comprise a malfunction of any of the various components, thatis, nodes, in the vehicle connected to the in-vehicle communicationnetwork and/or occurrence and/or consequence of a cyber attack on thecommunication network. In response to identifying an anomaly incommunications over the in-vehicle communication network, theCyber-Watchman may undertake any, or any combination of more than one,of various actions to report, mitigate, and/or control the anomaly.

In an embodiment, the Cyber-Watchman operates to transmit data,hereinafter also referred to as “Watchman data”, to the Cyber-Hubresponsive to communications traffic over the in-vehicle communicationsnetwork that the Watchman monitors. The Cyber-Hub may process Watchmandata from a subscriber vehicle to provide information for configuringthe Watchman's monitoring of, and/or responding to detected anomaliesin, communications over the vehicle's in-vehicle network. The Cyber-Hub,or a user, such a GASS agent or subscriber authorized to receive theinformation from the Cyber-Hub, may use the information to configure theWatchman.

In an embodiment of the disclosure, the Cyber-Hub processes Watchmandata from a plurality of subscriber vehicles to determine if a vehicleor a fleet of vehicles may be under threat of an imminent cyber attack,is under a cyber attack, or has vulnerability to a cyber attack. Inresponse to detecting an imminent, on-going, or vulnerability to, cyberattack, the Cyber-Hub may alert a GASS user to configure the Watchman orWatchmen of a subscriber vehicle or subscriber vehicles to engage theattack. Alternatively or additionally the Cyber-Hub may configure theWatchman or Watchmen directly by transmitting information to theWatchman or Watchmen over a suitable wire or wireless communicationchannel.

Optionally, the Cyber-Hub processes Watchman data from a plurality ofWatchmen to generate measures of vehicle “health” for subscribervehicles. The Cyber-Hub or a Watchman of a subscriber vehicle may usethe measures of vehicle health to detect and anticipate mechanicaland/or electronic malfunction of components and/or systems that thesubscriber vehicle comprises. Optionally, the Watchman generates alarmsto notify a driver of the vehicle, the Cyber-Hub, and/or a GASS agent orsubscriber, that a vehicle malfunction is detected or anticipated. In anembodiment of the disclosure the Watchman may be configured toautomatically invoke remedial measures to deal with the detected oranticipated malfunction.

By processing Watchman data from a plurality of Watchmen, the Cyber-Hubmay benefit from improved statistics in providing measures andmaintenance of vehicle health, and detecting vulnerability or exposureto Cyber attacks and providing early warnings and procedures for dealingwith of such attacks.

In an embodiment, a Cyber-Watchman is a rule based module that operatesin accordance with a set of rules to identify and classify messagestransmitted over a subscriber vehicle's in-vehicle network and todetermine what, if any, action or actions to undertake with respect toan identified message. The set of rules may autonomously determine howto process an identified message responsive to an operating context ofthe vehicle during which the message is transmitted over the in-vehiclenetwork. The context may comprise an operating state of the vehicleand/or circumstances under which the vehicle is operating. An operatingstate of a vehicle may by way of example, comprise, vehicle speed, tirepressure, ambient temperature, vehicle load, and state of health.Circumstances under which the vehicle is operating may, by way ofexample, comprise road grade and/or traction, ambient temperature and/orhumidity, and/or season. The operating context may comprise commonoperating state to which the Watchman is alerted by the Cyber-Hub. Acommon operating state is a state common to a plurality of subscribervehicles at substantially a same time. A common operating state may bedetected and defined by the Cyber-Hub from Watchman data transmitted tothe Cyber-Hub by the Watchmen of the plurality of vehicles. A commonoperating state may for example, be defined as a state in which atsubstantially a same time the plurality of subscriber vehicles issubject to a same cyber attack, or subject to a same probability offailure of a vehicle control system or component. In an embodiment, theCyber-Hub may configure the rule set of a Watchman in real time toengage and confront a possibly damaging common operating state.

This Summary is provided to introduce a selection of concepts in asimplified form that are further described below in the DetailedDescription. This Summary is not intended to identify key features oressential features of the claimed subject matter, nor is it intended tobe used to limit the scope of the claimed subject matter

BRIEF DESCRIPTION OF FIGURES

Non-limiting examples of embodiments of the disclosure are describedbelow with reference to figures attached hereto that are listedfollowing this paragraph. Identical features that appear in more thanone figure are generally labeled with a same label in all the figures inwhich they appear. A label labeling an icon representing a given featureof an embodiment of the disclosure in a figure may be used to referencethe given feature. Dimensions of features shown in the figures arechosen for convenience and clarity of presentation and are notnecessarily shown to scale.

FIG. 1A schematically shows a GASS system for providing cyber securityto a plurality of vehicles subscribed to GASS, in accordance with anembodiment of the disclosure;

FIG. 1B shows a schematic block diagram of a portion of an in-vehiclecommunication system of a subscriber vehicle protected by GASS Watchmen,in accordance with an embodiment of the disclosure;

FIG. 2A shows a schematic block diagram of a Watchman, in accordancewith an embodiment of the disclosure;

FIG. 2B shows a flow diagram of an algorithm that the Watchman shown inFIG. 2A executes in response to a message that the Watchman receivesfrom the in-vehicle network to which the Watchman is connected, inaccordance with an embodiment of the disclosure;

FIG. 2C shows a flow diagram of an algorithm that a Watchman executes toprotect a bus of the in-vehicle communication network shown in FIG. 1B,in accordance with an embodiment of the disclosure;

DETAILED DESCRIPTION

FIG. 1A schematically shows a GASS 20 that provides cyber securityservices to vehicles 30 operating in an extended geographical region 32in accordance with an embodiment of the disclosure. The extendedgeographical region may, comprise a region of a country such as a regioncovered by an infrastructure facility such as a power grid, a mobilecommunication network or a plurality of such networks, a metropolis, astate, and/or a region in which a given fleet of vehicles operates.Optionally, the extended geographical region is global, extending overportions of a continent or continents comprising more than one state. InFIG. 1A GASS 20 is shown by way of example operating to provide cybersecurity to in-vehicle communication networks of vehicles 30 in thecontinental US.

GASS 20 optionally comprises a cloud based CyberHub 22 and Watchmen 40installed in subscriber vehicles 30 to monitor and protect theirrespective in-vehicle communication networks. An enlarged image of asubscriber vehicle 30 comprising an in-vehicle network 60 to which aplurality of optionally two GASS Watchmen 40 are connected in accordancewith an embodiment of the disclosure is schematically shown in an inset31. Watchmen 40, monitor communications traffic over portions of network60 to which they are connected and perform procedures and undertakeactions to provide and maintain integrity of the network against cyberattacks. In-vehicle communication network 60 is optionally a CAN networkcomprising a high-speed CAN bus 61 and a medium-speed CAN bus 71 towhich various components of vehicle 30 are connected as nodes. AWatchman 40, in accordance with an embodiment of the disclosure, isconnected to high-speed CAN bus 61 and to medium-speed CAN bus 71. Datais transmitted between nodes connected to buses 61 and 71 in CAN frames,which may be referred to as CAN packets, or CAN messages.

FIG. 1B shows a schematic block diagram of a portion of in-vehiclecommunication network 60 showing Watchmen 40 that protect the networkand specific control systems as may be comprised in a subscriber vehicle30. The control systems and/or their respective components are connectedto high-speed and medium-speed bus bars 61 and 71. medium-speed CAN bus71 may be a class B CAN bus that operates at data transmission speeds ofup to 125 kilobits per second (Kbps), to support communications betweennodes, such as components of vehicle body control systems andinfotainment systems that can function properly receiving andtransmitting data at relatively low data transmission rates. By way ofexample, medium-speed CAN bus 71 is schematically shown connected tonodes that are headlight, instrument display, environment control, doorcontrol, and rear light systems 72, 73, 74, 75, and 76 respectively. Aninfotainment system 79 comprising Bluetooth and Wifi communicationinterfaces and a Telematics system 78 that provides a communicationinterface to mobile phone networks and supports hands free calling areconnected to medium-speed CAN bus 71 via a Watchman discussed below. AGPS receiver 77 is optionally separate from Telematics system 78, and isconnected to medium-speed CAN bus 71. High-speed CAN bus 61 may be aclass C CAN bus that operates at data transmission speeds of up to 1megabits per second to support communications between nodes such assensors and ECUs of various control systems that may require relativelyhigh-speed transmission of data between the nodes to operate properly.High-speed CAN bus 61 is schematically shown connected to engine,suspension, traction, gearbox, and braking control systems 62, 63, 64,65, and 66 respectively. High-speed CAN bus 61 is connected by a bodycontrol system gateway 80 to medium-speed CAN bus 71.

In-vehicle network 60 is protected by a configuration of a plurality of,optionally four, Watchmen 40, individualized by labels 40A, 40B, 40C,and 40D. Watchmen connected to network 60 are referenced generically bythe numerical reference 40 and by the individualized labels 40A, 40B,40C and 40D with respect to features associated with a particularWatchman. Watchman 40A is optionally a two communication port moduleconnected between high-speed bus 61 and gateway 80 that connects thehigh-speed bus to medium-speed bus 71. Watchman 40B is optionally asingle communication port module connected to high-speed bus 61.Infotainment system 79 and Telematics system 78 are connected viaWatchman 40C, to medium-speed bus 71 and GPS receiver 77 is optionallyconnected via Watchman 40D to medium-speed bus 71. Watchman 40A operatesin accordance with an embodiment of the disclosure to monitor CANmessages that are transmitted between high-speed bus 61 and gateway 80and to respond to anomalous communications to protect communicationsbetween the CAN bus and the gateway. Watchman 40B is connected tohigh-speed CAN bus 61 to eavesdrop on communications over the high-speedbus and protect communications propagated over the bus. Watchman 40C and40D operate to protect medium-speed CAN bus 71 from Cyber attacks thatattempt to enter in-vehicle communication system 60 via its Bluetooth,WiFi, and mobile telephone communication interfaces. Watchmen inaccordance with an embodiment of the disclosure are not limited to anumber of communication ports shown in FIG. 1A and may have a number ofcommunication ports different from the numbers shown in FIG. 1A.

Whereas in FIGS. 1A and 1B Watchmen 40 are schematically shown asseparate components that appear to be hardware components, a Watchman inaccordance with an embodiment of the disclosure may be a “virtualizedWatchman” defined by a software component comprised in a node ofin-vehicle communication network 60. For example, gateway 80 maycomprise computer executable instructions and data, or a combination ofsoftware and hardware that provide Watchman functionalities inaccordance with an embodiment of the disclosure that may be provided byWatchman 40A, shown separate from the gateway in FIG. 1B. Or an ECM (notshown) in engine control system 62 may comprise computer executableinstructions and data that provide Watchman functionalities inaccordance with an embodiment of the disclosure that may be provided byWatchman 40A, or Watchman 40B. A Watchman may also be integrated to thehardware of a node, such as telematics unit 78, of in-vehiclecommunication network 60, between the CAN transceiver and the CANcontroller of the node.

A Watchman 40, such as Watchman 40A, 40B, 40C, or 40D in accordance withan embodiment of the disclosure, may operate in a mode or modesselectable from a library of operating modes. Each operating mode in thelibrary may evoke an optionally different operating algorithm orprocedure that the Watchman may execute to process and/or to respond tomessages transmitted over a portion of in-vehicle network 60 that theWatchman monitors. The library of operating modes comprises at least oneof, or any combination of more than one of: a passive mode, a recordingmode, a communication mode, a standard protection mode (SPM), adetective mode, a programming mode, and/or an override mode.

A Watchman 40 may be set to a given operating mode by manually operatinga dip switch that the Watchman may have, and/or by transmitting acontrol message to the Watchman via a wire or wireless communicationchannel that instructs the Watchman to assume a particular operatingmode. A Watchman 40 may autonomously switch between different operatingmodes when an instruction that the Watchman executes during operation ina first operating mode switches the Watchman to a second operating modeto execute an instruction in the second operating mode. Differentoperating modes may also provide or share same or similarfunctionalities and a Watchman may simultaneously be operating in morethan one operating mode.

In the passive mode a Watchman 40 does not interfere with thepropagation of messages in in-vehicle network 60 that the Watchman mayreceive, and the Watchmen may substantially be transparent tocommunications over the in-vehicle network. Watchmen 40 may by way ofexample advantageously be set to the passive mode for example, duringinstallation of new components and/or sensors to vehicle 30 andconnection of the components and/or sensors as nodes to in-vehiclecommunication network 60. The Watchmen may also advantageously be set topassive for example when connecting a diagnostic console (not shown) toan On Board Diagnostics (OBD) port (not shown) in vehicle 30 to connectthe diagnostic console to in-vehicle communication network 60 and querythe vehicle's self diagnostic and reporting functionalities forinformation regarding systems connected to the network. A Watchman mayalso be configured to automatically set itself to a passive mode when itencounters a critical internal error, as a failsafe mechanism.

Setting Watchmen 40 in vehicle 30 to the passive mode suspendsprotective activity by the Watchmen. Attempting to set Watchmen 40 topassive by transmitting control messages to the Watchmen, may therefore,in accordance with an embodiment of the disclosure, be allowed onlyafter the control messages have been authenticated as originating froman authorized source and vetted for form and for being appropriate for astate of vehicle 30 and its in-vehicle communication network 60 at atime when the control messages are received. For example, an attempt toset Watchmen 40 to passive may be denied if vehicle 30 is in motion, orif the attempt originates from a source other than GASS 20, anauthorized user of GASS or a driver of the vehicle. Authenticating andvetting messages received by Watchmen 40 are discussed below.

In the recording mode, a Watchman 40 monitors communications inin-vehicle communication network 60 of subscriber vehicle 30 toaccumulate data from messages that it receives which may be used tocharacterize the messages, determine a vehicle context of the messages,and/or determine a measure of health of the vehicle. CAN messages may becharacterized for example, by their 11 bit, or 29 bit extended,arbitration ID, which of the generally four types of conventional CANmessages they are, their respective frequency of transmission, an amountand type and contents of data they include, a time stamp recording atime at which they are transmitted, and a vehicle context at a time ofthe time stamp. A CAN message arbitration ID may hereinafter be referredto as a CAN message ID or message ID.

Vehicle context for a subscriber vehicle 30 refers to a state of thevehicle and/or a state of the vehicle's in-vehicle communication network60. State of vehicle 30 may be defined responsive to a value for each ofat least one parameter, which one or more than one sensor in the vehicleprovides for example in a data portion of a CAN message that ittransmits. The at least one parameter may for example, comprise one, orany combination of more than one of, vehicle speed, acceleration,closing speed to a leading or trailing vehicle, engine rpm, enginetemperature, oil pressure, hydraulic pressure, wheel traction, roadcondition, vehicle location optionally provided by a GPS signal, and/orweather condition. State of in-vehicle network 60, may by way ofexample, be defined responsive to baud rate, which types of messages arebeing transmitted over the network, and/or which nodes in in-vehiclecommunication network 60 are actively communicating over the network.State of in-vehicle communication network may also comprise a state orcontents of a communication session of which the CAN message is a part.State of in-vehicle network 60 may be defined responsive to a value fora derived parameter, hereinafter also referred to as a cyber-stateindicator (CSI), which indicates whether or not, and/or to what degree,in-vehicle network 60 may be compromised by a cyber attack. CSI may bedetermined by Watchman 40 responsive to messages transmitted over thein-vehicle network that the Watchman monitors and/or by Cyber-Hub 22responsive to data that the Cyber-Hub receives from the Watchman and/orfrom a Watchman 40 or Watchmen 40 monitoring other in-vehicle networks.

A Watchman 40 may generate and store in a memory comprised in theWatchman a context feature vector that defines and represents thevehicle context. The context feature vector may comprise components thatinclude a time stamp, values of the at least one parameter provided bythe one or more sensors in the vehicle, and/or values for parametersdescribing the state of in-vehicle network 60. The context featurevector may also include ID data for vehicle 30 such as make and year ofthe vehicle, an Odometer reading and optionally a CSI value at a time ofthe feature vector time stamp. A context feature vector in accordancewith an embodiment of the disclosure may comprise values of a histogram.For example, a context feature vector may comprise components that arevalues of a histogram, also referred to as a message frequencyhistogram, that provides a frequency or relative frequency oftransmission over in-vehicle network 60 for each of a plurality ofdifferent CAN message IDs, or different subsets or types of CANmessages. Optionally, the context feature vector may comprise severaldifferent histograms, one for each subset of messages. A message subsetmay comprise messages transmitted to or from a selection of differentnodes connected to in-vehicle network 60. The selected nodes may forexample comprise engine, suspension, gearbox, and door control systems62, 63, 65, and 75. A message subset make comprise messages havingparticular instructions or portions thereof, such as instructions forincreasing engine air or fuel intake, or generating proximity alarmsresponsive to signals from proximity sensors. Optionally, in order toprotect the Watchman against an attack that may try to cause theWatchman to use up all its available memory by sending a sequence of CANmessages with different message IDs, the memory used by the histogrammay be limited and pre-allocated. Optionally, if the Watchman runs outof available memory for the histogram, it may free up memory bydiscarding old histogram data.

A measure of health of a vehicle 30 may be characterized or determinedresponsive to data in CAN messages transmitted over in-vehicle network60 by sensors, actuators, and/or ECUs in the vehicle under differentoperating conditions of the vehicle that Watchmen 40 receive. Forexample, engine temperature and fuel consumption as a function of speed,or oxygen content in engine exhaust as a function of engine speedprovided in massages transmitted by components of an vehicle enginecontrol system of vehicle 30 may be used to provide a measure of healthof the engine. Messages provided by a vibration monitor that providedata representing frequency or amplitude of vibration of a bodycomponent as a function of vehicle speed may be used to determine ameasure of vehicle health.

Watchman 40 may generate and store in a Watchman memory a health featurevector for vehicle 30 that provides a measure of the vehicle's healthresponsive to messages that the Watchman monitors. Similar to thevehicle context feature vector, the vehicle health feature vector mayinclude vehicle ID data and a CSI value.

Data acquired by a Watchman 40 when operating in the recording mode,such as data characterizing CAN messages propagated over in-vehiclecommunication network 60, data comprised in vehicle context and healthfeature vectors, may advantageously be processed for use by the Watchmanwhen operating in operating modes other than in the recording mode. Forexample, as described below, Watchman data acquired by the Watchman maybe used by the Watchman in determining how to respond to messages itreceives when operating in the SPM mode or, in the programming mode, toconfigure the Watchman for operation in, for example, the SPM mode. Anddata associated by the Watchman with a CSI value indicating that thedata was acquired free of Cyber damage contamination may be processed tocharacterize and/or establish criteria for normative communicationsbetween nodes of in-vehicle communication network 60.

For example, data comprising message IDs and features characterizing CANmessages propagated over in-vehicle communication network 60 that areassociated with a CSI value indicating that are free of cyber damage maybe used to provide a “white list” of CAN messages. In an embodiment, thewhite list comprises message IDs of CAN messages propagated during aperiod or periods during which in-vehicle communication network 60 wasfree of damage from cyber attack and optionally “cyber clean” datacharacterizing their respective propagation during the period orperiods. The cyber clean data for a given white listed CAN message IDmay comprise data characterizing relative frequency of transmission ofthe given CAN message and optionally message contexts of the messagethat reference other CAN messages with which transmission of the givenCAN message is associated. Optionally, cyber clean data for the givenwhite listed CAN message is provided as a function of vehicle context.

A “white list” of messages, optionally with their corresponding featuresand contexts may also be created by referencing vehicle manufacturer CANspecifications which define CAN messages that the manufacturer'svehicles use to control the vehicles, vehicle accessories and/oradd-ons. Optionally, a vehicle manufacturer's catalogue of CAN messagesis automatically translated to provide a white list of CAN messages in aformat useable by Watchman. A graphical user interface (GUI) of anin-vehicle network used in the manufacturer's vehicles, and amounts andtypes of communication traffic anticipated between nodes in the networkmay be used to aid a person to manually translate a manufacture CANcatalogue of CAN messages to a white list in Watchman format.

In an embodiment, a Watchman 40 receiving a white listed CAN messagedoes not interfere with its normal propagation over in-vehicle network60. Optionally, non-interference is predicated upon the white listed CANmessage being received in association with the “white list” contextsthat that may be referenced for the CAN message in the white list.

Similarly, CAN messages that are determined responsive to data acquiredduring a recording mode of Watchman 40 to be malware, to be associatedwith malware, and/or to be compromised by a cyber attack, and theirrespective characterizing features and contexts may be listed in a“black list”. In an embodiment, a black-listed CAN message received byWatchman 40, optionally in association with its corresponding blacklisted features and contexts, may be blocked by the Watchman fromfurther propagation over in-vehicle network 60. CAN messages and theirrespective features and contexts may also be manually classified andadded to a “black list” by cyber security analysts, optionally using asuitable GUI of known recorded cyber attacks.

It is noted that whereas acquisition of data with respect tocommunications over in-vehicle communication network 60 has beendiscussed for Watchman 40 operating in the recording mode, Watchman 60may acquire and store data relevant to communications over in-vehiclenetwork 60 during other operating modes of the Watchman. For example,data acquired by Watchman 40 when operating in the SPM, protective, modeduring which the Watchman regularly vets CAN messages to determine ifthey should be allowed to propagate over in-vehicle network 60 may beused to white list or black list CAN messages. CAN messages thatWatchman 40 encounters during operation in the SPM mode or the recordingmode that have not been classified, and/or may not readily classified aswhite list or black list, possibly because for example, they have notbeen encountered before or are infrequently encountered, may be graylisted. Watchman 40 may allow gray listed CAN messages only limitedaccess to in-vehicle communication system 60. For example, Watchman 40may limit a frequency of transmission over the in-vehicle network. Canmessages may be gray listed by Watchman 40 during any of its operatingmodes.

It is further noted that Watchman 40, in accordance with an embodimentof the disclosure may in addition to recording data relevant to CANmessages, vehicle context, and/or health, during operation in therecording mode or another operating mode, may also keep a log of datarelevant to its own performance and operation for analysis. For example,Watchman performance data may be used to determine how frequently theWatchman generated false positives or false negatives in identifyingmessages as malware. And, Watchman performance data may be used todetermine how frequently the Watchman has received remote commands orupdates with non-valid digital signatures that may be an indication fora cyber-attack.

Processing data provided by a Watchman 40 may be performed by theWatchman, or by Cyber-Hub 22 or an authorized user of GASS 20 subsequentto the Watchman conveying the data to the Cyber-Hub or authorized GASSuser. Watchman 40 may convey data to an entity in accordance withexecution of an instruction of the recording mode or during operation inthe communication mode. Cyber-Hub 22 may aggregate data from a pluralityof different Watchmen in a fleet to create high level conclusionsregarding cyber and operational health of the fleet. Cyber-Hub 22 mayalso aggregate data between different fleets. The Cyber-Hub may providea user interface that displays high level information regarding thecyber health of the fleet and raw data that may be used by cyberanalysts to understand the high level information. For example the userinterface may display a number of anomalies and/or blocked cyber attacksand/or vehicle malfunctions detected in a specified timeframe and/orgeographical area in a format of a heat map. Optionally, the Cyber-Hubmay keep track of which Watchmen have not communicated with it for morethan a specified period of time and other cyber and operational relatedmeasurements and may provide this information to its users via asuitable user interface. The Cyber-Hub may optionally issue live alertsto subscribers to GASS 20 regarding critical events.

In the communication mode Watchman 40 may convey data that it hasacquired and/or processed to Cyber-Hub 22 and/or to a diagnostic console(not shown) via suitable wire and/or wireless communication channels.Watchman 40 may be configured or controlled to periodically switch tothe communication mode and upload data or a portion of data, such as amessage frequency histogram, it acquires during operation in therecording mode or in another operating mode, to Cyber-Hub 22. Watchman40 may be accessed to switch to the operating mode and requested toconvey data that it acquires to a diagnostic console connected to an OBDport in vehicle 30, or to a mobile communication device such as asmartphone, laptop, or tablet, via a wireless channel. In an embodiment,Watchman 40 may switch to the communication mode and provide therequested data optionally encrypted and only after authenticating thatthe request is made by an entity authorized so receive the data. In anembodiment, Watchman 40 may autonomously switch to the communicationmode for example to request information from or to transmit informationto Cyber-Hub 22. Information that the Watchman may request may beinformation regarding updates to the Watchman set of rules and/orinstructions for responding to CAN messages during Watchman operation inthe SPM mode.

In order to efficiently utilize available bandwidth, a Watchman 40 mayoptionally send the information it has acquired to Cyber-Hub 22 onlyafter Cyber-Hub 22 has given it permission to upload the information,based on a short description of the information provided the Cyber-Hubby the Watchman. For example if an entire fleet of vehicles is under acyber-attack at the same time and all the Watchmen in the fleet attemptto report the cyber-attack to Cyber-Hub 22, the Cyber-Hub 22 may chooseto prevent saturation of bandwidth by receiving relevant data from arelatively small number of the vehicles under attack. Optionally,additional savings in bandwidth may be applied by compressing the datasent to Cyber-Hub 22. For example message frequency histograms that avehicle 30 acquires may be stored in a relatively compact form, using 1byte for a number of occurrences for each message ID. In order to avoidoverflow, the value of the count per message ID may periodically bedivided by for example 2, thus making the histogram a local frequencyhistogram. Optionally, the histogram may keep its extreme values by notallowing the division to change the MSB (most significant bit) and LSB(least significant bit) bits in the count, should they be 1.

It is noted that an in-vehicle communication network, such as in-vehiclenetwork 60 schematically shown in FIGS. 1A and 1B, may be connected to aplurality of Watchman 40, each optionally monitoring a different portionof the network. Optionally, an in-vehicle communication networkconnected to a plurality of Watchman 40, may have a Watchman 40, a“Super-Watchman” that operates as a communication hub or router for theother Watchmen. The Super-Watchman may for example, aggregate dataacquired by other Watchman connected to the network to convey the datato Cyber-Hub 22 or an authorized user of GASS 20. The Super-Watchman mayalso operate to receive communications from the Cyber-Hub or authorizedentities outside of the in-vehicle communication network intended forother Watchmen connected to the in-vehicle communication network androute the communications to the intended Watchmen. In an embodiment, aplurality of Watchmen connected to a same in-vehicle communicationnetwork may communicate via buses in the network or be configured as awireless local network to communicate with each other.

In the SPM mode, Watchman 40 invokes an operating algorithm thatcomprises a menu of response actions that may be undertaken by theWatchman in response to messages propagated over in-vehicle network 60,and a set of rules, hereinafter also referred to as matching rules, thatthe Watchman uses to match the messages with at least one responseaction in the menu. A matching rule is an instruction for inspecting atleast a portion of a message, to determine a feature of the message thatmay be used as, or in establishing, a criterion for determining whichresponse action should be matched to the message and undertaken byWatchman 40 in response to receiving the message. A specific set ofmatching rules may be defined in a configuration of the Watchman and maybe represented in memory as a variant of a decision tree data structurein which nodes may represent a specific condition and/or action. Theconfiguration may determine a layout, type and specific parameters ofthe rules along with appropriate actions for routes in the tree.

Response actions in the menu that may be undertaken in response to agiven message that Watchman 40 receives, may by way of example comprise:allowing the message, blocking the message, delaying the message;limiting the frequency of the message, logging the message into a memorycomprised in the Watchman; changing a state feature vector representinga state of the vehicle; and/or raising an alert responsive to themessage.

Matching rules for determining response to a CAN message may, by way ofexample, comprise: inspect the arbitration portion of the message todetermine a message ID; determine if the message is one of the fourconventional CAN message types and which type it is; determine a sourceport in the Watchman of the message; determine if data content in themessage is data that is valid for features that characterize thevehicle, such as by way of example, make, model, and mechanicalcondition of the vehicle; determine a transmission frequency for themessage; determine a vehicle context for the message. The rules may usecomplex logic that incorporates several sub conditions using logicoperators such as AND, OR, NOT and masking methods to inspect only partsof the data of a CAN message. For example, a Watchman 40 may enforce aminimum period of time that must pass between seeing a message having aparticular message ID and allowing the message to appear again onpossibly another port of the Watchman, to prevent a cyber attacker fromlistening to communication traffic on the bus, waiting for a givenlegitimate message to be sent on the bus and soon thereafter sendanother similar ID′d message with malicious content, in order tooverride the given legitimate message.

FIG. 2A schematically shows components of a Watchman 40, for exampleWatchman 40A connected to in-vehicle communication network 60 thatsupport operation of the Watchman in the SPM and other operating modesof the Watchman, in accordance with an embodiment of the disclosure.

Watchman 40A optionally comprises a processor 41 and optionally twocommunication ports 42 and 52 for transmitting messages to and receivingmessages from a CAN bus or a CAN node to which the Watchman isconnected. For example, in FIG. 1B communication port 42 of Watchman 40Ais connected to high-speed bus 61 and port 52 of the Watchman isconnected to CAN gateway 80. Port 42 is connected to processor 41 by aCAN transceiver 43 and a CAN controller 44. Transceiver 43 converts bitsin a CAN message, which are serially received from high-speed bus 61 atport 42, from a CAN format to a format used by Watchman 40A and forwardsthe bits to CAN controller 44. The CAN controller stores the bits untilall the bits in the CAN message to which the bits belong are received,and the complete message is assembled. CAN controller 44 forwards theassembled message to processor 41 for processing in accordance with anembodiment of the disclosure. CAN controller 44 also receives bitsgenerated by processor 41 for transmission from Watchman 40A tohigh-speed CAN bus 61 in a CAN message, and forwards the bits totransceiver 43 for conversion from a Watchman format in which the bitsare generated to a CAN format. Transceiver 43 forwards the bits in theCAN format for transmission to CAN bus 61 via port 42. Similarly to port42, port 52 is connected to processor 41 by a transceiver 53 andcontroller 54 and operates for transmitting CAN messages to and from CANgateway 80.

Processor 41 processes a message it receives via port 42 or port 52 inaccordance with computer executable instructions for executing matchingrules, white and black lists of CAN messages, and response actions,optionally stored in a memory 45, and optionally in accordance with avehicle context during which the message is received. The vehiclecontext may be determined by Watchman 40A responsive to data comprisedin messages that Watchman 4A receives and optionally uses to define acontext feature vector, which the Watchman stores as data in a memory46. Memory 45 and/or memory 46 may include primary and/or secondarymemory used by Watchman 40 and whereas memories 45 and 46 areschematically shown as separate units the memories may be comprised in asame unit.

Watchman 40A optionally comprises an authentication module 47 forauthenticating messages the Watchman receives and a wirelesscommunication interface 48 for communicating with Cyber-Hub 22,authorized users, drivers of subscriber vehicles, and other externalentities via a wireless communication channel. Wireless interface 48 mayprovide connectivity to a WiFi, and/or a Bluetooth channel and/or amobile phone network such as a 3G network. In the absence of such awireless capability, a Watchman in accordance with an embodiment of thedisclosure may communicate with Cyber-Hub 22 over an existing vehicleconnection to the cloud. This may be performed by tunneling via a CANbus, such as CAN bus 71 or 61 to an ECU in the in-vehicle network 60that may have connectivity to the cloud. The tunnel may be implementedby reading and writing PIDs according to the Unified Diagnostic SystemStandard or by using any other protocol supported by the CAN bus.

Authentication module 47 may comprise computer executable instructionsfor authenticating a message that Watchman receives using any of variousauthentication algorithms. Authentication algorithms that may be used byauthentication module 47 may comprise for example, any of variousasymmetric key encryption algorithms, a combination of asymmetric andsymmetric key encryption algorithms, and may include authenticationalgorithms such as TLS (Transport Layer security), and PGP (Pretty GoodPrivacy). Optionally authentication module 47 is or comprises a hardwaresecurity module (HSM) for authenticating received messages. In anembodiment, authentication may be implemented so that it will not besusceptible to a “Reply Attack”, for example by including a timestamp inauthenticated data. In cases where no secure timestamp informationexists in Watchman 40A, the Watchman may initialize a clock it comprisesrandomly and securely send a “pseudo timestamp” to Cyber-Hub 22 which inturn may use the pseudo timestamp in further communications with theCyber-Hub.

FIG. 2B shows a flow diagram 100 of an example scenario of a response byWatchman 40A to a CAN message propagated over in-vehicle communicationnetwork 60 that the Watchman receives during operation in the SPM mode,in accordance with an embodiment of the disclosure.

In a block 101 Watchman 40A receives a CAN message and optionally in ablock 103 determines that the message was a message transmitted bygateway 80 and received by processor 41 via port 52 (FIG. 1B). In ablock 105 processor 41 (FIG. 2A) accesses memory 45 to process thereceived message responsive to rules in the memory and white and black,CAN message lists that are relevant to messages received via port 45. Ina decision block 107 the processor vets the 11 or 29 CAN message ID bitsof the message to determine if the message ID is valid and may beallowed ingress to high-speed bus 61.

If processor 41 determines in decision block 107 that the message ID isnot a message ID of a white list CAN message, the processor proceeds toa block 120 and determines whether or not the ID is a black list messageID. If the message is a black list message, the processor optionallyproceeds to a block 122 and blocks the message from entry to high-speedCAN bus 61. Optionally, in a block 124, processor 41 logs data relevantto the message into memory 46 for possible future uploading to Cyber-Hub22, reference, and/or analysis by the Watchman and/or the Cyber-Hub. Ina block 126 processor 41 makes a determination as to whether the messageappears to be part of a pattern of messages, for example a pattern ofrepeated identical messages or a pattern of unwarranted message, thatindicate a cyber attack.

If processor 41 determines that the message does not indicate a cyberattack, processor 41 proceeds to a block 138 to aggregate the message IDby logging the ID to a frequency histogram and/or to store the wholemessage for future uploading to Cyber-Hub 22. On the other hand ifprocessor 41 determines that the message indicates a cyber attack, theprocessor proceeds to a block 136 and controls Watchman 40A to reportreception of the message to Cyber-Hub 22 and thereafter proceed to block119 and return to block 101 to receive and process a next CAN message

If in decision block 120, processor 41 determines that the messagereceived at port 52 is not a black list message, the processoroptionally proceeds to a block 128 and determines that the message is,or may be classified as, a gray list message. In a block 130, theprocessor may determine to limit a number of messages having the samemessage ID as that of the received message from being forwarded tohigh-speed bus 61 or to limit a frequency with which the messages areforwarded to the high-speed bus. Optionally, in a block 132 processor 41logs data relevant to the message into memory 46 for possible futureuploading to Cyber-Hub 22, reference, and/or analysis by the Watchmanand/or the Cyber-Hub. And in a decision block 134 processor 41determines if the message indicates or does not indicate a cyber attack.If it appears to indicate a cyber attack, the processor optionallyproceeds to block 136 to report reception of the message to Cyber-Hub 22and proceed thereafter to block 119 and return to block 101 to receiveanother CAN message.

If in decision block 134 processor 41 determines that the messagereceived at port 52, which is classified as a gray list, does not appearindicate a cyber threat, processor 41 optionally proceeds to block 138to aggregate the message ID by logging the ID to a frequency histogramand/or to store the whole message for future uploading to Cyber-Hub 22.The processor then optionally proceeds to a block 119 to return to block101 and receive another CAN message.

If in block 107 processor 41 determines that the message received byWatchman 40A at port 52 is a white list message the processor optionallyproceeds to a block 109 and initiates inspection of data comprised inthe data portion of the message.

By way of an exemplary scenario, it is assumed that in a block 111 theprocessor determines that the data section comprises an instruction forupdating firmware in optionally the ECM (not shown) of engine controlsystem 62. Presumably, the message and instruction it comprises enteredin-vehicle network 60 via a communication interface, such as the mobilenetwork interface, comprised in telematics system 78 (FIG. 1B), thatconnects the in-vehicle communication network to communication networksoutside of vehicle 30. Prior to allowing the message to proceed tohigh-speed bus 61 and engine control system 62, processor 41 determinesin a block 113 if the message has been authenticated by authenticationmodule 47 in Watchman 40A, or in Watchman 40C, as properlycryptographically signed. If the message is improperly signed, or notsigned, processor 41 blocks the message in block 122, optionally inblock 124 logs the event of receiving the message and data relevant tothe reception in memory 46, and proceeds to decision block 126. If inblock 126 the processor determines that the message, even thoughunsigned or improperly signed does not indicate a cyber threat, theprocessor controls Watchman 40A to return to block 101 to receive a nextmessage. And if processor 41 determines that the message is a threat, itproceeds to carry out the actions in blocks 136 to 140 discussed above.

If the processor determines in block 113 that the message is properlycryptographically signed, in a block 115 the processor accesses vehiclecontext data that may be relevant to and may constrain execution of thefirmware update instruction comprised in the message. By way of example,execution of the updating instruction in the message may be constrainedby a requirement that vehicle 30 be moving at a speed less than tenkilometers per hour (kmp) and processor 30 may access context datacomprising the speed of vehicle 30. In an embodiment, the context datais accessed from memory 46 or extracted in real time from a CAN messageat a time substantially the same as a time at which the message beingvetted was received by Watchman 40A via port 52. If the context dataindicates that vehicle 30 is moving at a speed greater than 10 kmp,processor 41 proceeds to a block 117 and blocks the message frompropagating to high-speed bus 61 and engine control system 62. Theprocessor optionally proceeds thereafter to a block 119 and block 101 toreceive a next message. If on the other hand the vehicle context dataindicates that the speed of vehicle 30 is less than 10 kmp, processor 41optionally proceeds to block 118, allows the message received at port 52to propagate to high-speed bus 61 and to engine control system 62 andexecute the firmware updating instruction.

In the description of the exemplary scenario above, Watchman 40Aprotects high-speed bus 61 by preventing “cyber malice” messages frompropagating from medium-speed bus 71 to high speed bus 61 by notallowing the messages to pass through the Watchman. In an embodiment ofthe disclosure a Watchman may be connected to a portion of an in-vehiclenetwork that it protects so that it eavesdrops on the portion, andmessages, optionally, do not pass through the Watchmen to propagate toor on the portion.

For example, Watchman 40B, shown in FIG. 1B is connected to high-speedbus 61 so that it can monitor traffic on high-speed bus 61 but not sothat it can block cyber malware messages from propagating on the bus bypreventing them from passing through the Watchman. An eavesdroppingWatchman, such as “bus Watchman” 40B, blocks potentially damagingmessages propagating on portion of an in-vehicle network that itmonitors, in accordance with an embodiment of the disclosure, by“poisoning” the messages to corrupt them to an extent that they are notaccepted or used by nodes connected to the network.

FIG. 2C shows a flow diagram 150 of an example scenario of a response byWatchman 40B to a potentially damaging CAN message propagating overhigh-speed bus 61 in-vehicle communication network 60, to which theWatchmen is connected in accordance with an embodiment of thedisclosure. Except for having, optionally, only one communication port,Watchman 40B is assumed to have internal components similar to thoseshown in FIG. 2A for Watchman 4A.

In a block 152, Watchman 40B receives bits of a CAN message propagatingon high-speed bus 61. In a decision block 154 processor 41 of theWatchman vets the ID of the message to determine if it is an ID of apotentially damaging message, which advantageously should not be allowedto propagate on high-speed bus 61. For example, the ID may be the ID ofa black listed message, an ID of a message that is not appropriatelysigned, or an ID that is not known in the lexicon of acceptable IDs ofCAN messages used by in-vehicle communication network 60. If Watchman40B determines that the message should be blocked, it proceeds to ablock 171 to begin a process of poisoning and corrupting the message sothat it is unacceptable to nodes connected to high-speed bus 61. In ablock 173 Watchman 40B logs the message ID and data relevant to themessage into memory 46 for possible future uploading to Cyber-Hub 22,reference, and/or analysis by the Watchman and/or the Cyber-Hub.

In a block 175, processor 41 causes Watchman 40B to transmit a bit ontohigh-speed bus 61 that is intended to replace and corrupt the message.The CAN protocol that configures message transmission over in-vehiclenetwork 60 uses a dominant bit and a recessive bit to transmit CANmessages. The dominant bit is usually the “0” bit and the recessive bitis usually the “1” bit. If a dominant and a recessive bit aresimultaneously transmitted on a same bus of a CAN network, suchhigh-speed bus 61 in in-vehicle network 60, the dominant bit survivesand is received by nodes connected to the bus and the recessive bit doesnot survive and is not received by the nodes. In block 175 therefore,processor 41 of Watchman 40B causes the Watchman to transmit a dominantbit, optionally referred to as a “poison bit”, onto high-speed bus 61,and then optionally proceeds to a block 177 to determine if a sufficientnumber of dominant bits has been transmitted to corrupt and block theunwanted message propagating on high-speed bus 61. If in block 177processor 41 determines that Watchman 40B has not transmitted enoughpoison bits, the processor returns to block 175 and causes the Watchmanto transmit another dominant bit. Watchman 40B and its processor 41cycle through blocks 175 to 177 until in block 177 the processordetermines that a sufficient number of dominant, poison, bits have beentransmitted to destroy the message.

In accordance with the CAN protocol, an uninterrupted sequence of six ofthe same bits generates an error in a CAN message and causes the messageto be discarded by nodes receiving the message. Therefore, Watchman 40Bmay return from block 177 to block 175 at least five times to transmitat least six dominant bits on high-speed bus 61 to corrupt and destroythe message propagating on the bus, which processor 41 determined inblock 154 should be blocked.

A CAN message typically comprises a 15 bit cyclic redundancy check (CRC)code at an end of the message following eight bytes of data in a dataportion of the message. In an embodiment of the disclosure, to destroyand block a CAN message, processor 41 may operate to control Watchman40B to transmit at least one dominant bit to replace at least onepassive CRC bit of the message rather than to replace data bits of themessage. For example, Watchman 40B may transmit a dominant 0 to replacea passive 1 in the CRC to destroy and block the CAN message. Byreplacing CRC bits rather than data bits, the data bits may be stored inmemory 46 (FIG. 2A) for future analysis of the blocked message.

Following transmission of the at least six poison bits, processor 41proceeds to execute actions in blocks 179-181 similar to actionsdiscussed above with reference to FIG. 2B with respect to blocks 134 and136 to determine if the message destroyed by transmission of poison bitsis associated with a cyber attack, and to report the message toCyber-Hub 22 if it is determined to be associated with a cyber attack.If in block 179 processor 41 determines if the message is not associatedwith a cyber attack processor 41 optionally proceeds to block 183 toaggregate the message ID by logging the ID to a frequency histogramand/or to store the whole message for future uploading to Cyber-Hub 22.The processor then optionally proceeds to a block 166 to return to block152 and receive another CAN message.

If in decision block 154 processor 41 determines that instead of beingunacceptable, the message ID, is acceptable, for example because it is amessage ID of a white list message, processor 41 optionally proceeds toa block 156 to access vehicle context data for vehicle 30 that may berelevant to determining whether the message being vetted by Watchman 40Bshould be blocked. Optionally, the context data is stored as componentsof a context feature vector in memory 46.

Subsequently, in blocks 158 through 162, processor 41 proceeds to carryout an optionally bit by bit check of bits in the message propagating onhigh-speed bus 61. In block 158 processor 41 checks a first bit of themessage following the message ID bits to determine a value for the firstbit. In a decision block 160 the processor determines, optionallyresponsive to vehicle context data accessed in block 154, if the valueis defective and indicates that the message is damaged or potentiallydamaging to nodes, such as components of control systems 62-66 connectedto high-speed bus 61, and thereby to vehicle 30. If the value indicatesthat the bit is defective, processor 41 proceeds to block 171 to poisonand block the message. If the bit is determined not to be defective, theprocessor proceeds to a block 162. In block 162 processor 41 determinesif the last checked bit is a last bit in the message being vetted. If itis not the last bit, the processor returns to block 158 to check whethera next bit in the message is defective. Following checking of a last bitin the message and finding that the bits and the message are notdefective, optionally in a block 164 processor 41 allows the message andmay proceed to a block 164 to return to block 152 and receive and vet anext message.

Processor 41 may determine that a bit and thereby a message comprisingthe bit, are defective if the bit value and relevant vehicle contextdata, with or without bit values for previously checked bits indicatewith a high or degree of probability, that the message contains datadetrimental to effective, safe operation of vehicle 30. For example,assume a bit value in view of values for bits previously checked byprocessor 41 in block 158 indicates with a high degree of probabilitythat a message propagating on high speed bus 61 comprising the bitscontains an instruction to gearbox control 65 to shift to reverse. Ifthe vehicle context data for vehicle 30 indicates that the vehicle istraveling forward at 50 kph, the message is clearly out of place and maybe particularly dangerous. In such circumstances, processor 41determines that the bit is defective and that the message should beblocked.

In the detective operating mode of Watchman 40, the Watchman operates tovet data and/or computer executable instructions, hereinafter nodesoftware of various nodes, for example ECUs that are connected toin-vehicle communication network 60. In the detective mode a Watchman 40may cooperate with an agent, hereinafter a Watchman agent that may beincorporated in the node in accordance with an embodiment of thedisclosure. The Watchman agent is configured to generate a hash of atleast a portion of the node software current in the node memory whenchallenged by the Watchman with a challenge request to send the hash tothe Watchman. The challenge request made by the Watchman may vary eachtime the Watchman challenges the agent, so that the anticipated hashwill not be the same for all challenges. As a result a node will not beconfigurable by a cyber attacker to successfully answer Watchmenchallenges with a same fixed and known hash. In an embodiment of thedisclosure, the Watchman transmits the hash along with the associatedchallenge that requested the hash to Cyber-Hub 22. In an embodiment, theCyber-Hub has a copy of the node software that the node should have andcan generate a copy of the expected hash, hereinafter a hash standard,under the assumption that the node software has not been changed ortampered with relative to a correct version of the software. TheCyber-Hub compares the received hash with the hash standard and if itdiffers from the hash standard determines that the node firmware isdamaged or has been tampered with and, optionally undertakes to have thenode provided with a correct version of the firmware.

In an embodiment of the disclosure, Watchman 40 has a copy of the hashstandard or receives a copy of the hash standard from Cyber-Hub 22 andcompares the hash received from the Watchman agent with the hashstandard. If the comparison fails the Watchman alerts Cyber-Hub 22 thatthe firmware is damaged and may warrant replacement. In an embodiment ofthe disclosure, Watchman periodically polls Watchman agents inin-vehicle communication network 60 to determine if firmware that theagents monitor have been changed or tampered with.

In an embodiment of the disclosure a Watchman 40 is hosted in anoperating system of CAN in-vehicle communication network 60 and ishooked into at least one position in the operating system such as by wayof example, the CAN driver, network driver and a system call such asfork ( ), exec ( ), spawn ( ) and open ( ). In the hosted detectiveoperating mode the Watchman monitors performance of software in theoperating system by receiving information provided by the hooks. Theinformation may enable the Watchman to perform a security verificationprior to performing a potentially damaging activity on the system.

For example, the Watchman may be hosted on a QNX, Linux or an Androidoperating system, comprised by way of example in the telematics unit 78,and it may check before allowing communication traffic on in-vehiclenetwork 60 from a process that the process is a known process(verification may be done by using a certificate or by using a knownhash of contents of the image of the process in memory and/or on disk),that its code content on disk is the same as in memory, that the runningthreads are all running from the code section (and not the datasection), that all the dynamic libraries loaded into the process areknown and allowed, that the process is allowed to access the in-vehiclenetwork 60 and that the process was initialized by a known or allowedprocess and that this process is allowed to access in-vehicle network60. For example each process in the system that wishes to communicate onthe vehicle bus may be required to add a set of digitally signed rulesto the configuration of the Watchman. This signed set of rules may bepassed along to the Watchman using a designated API that the Watchmanmay expose to such processes or by placing a file containing the signedrules in the file system, next to the executable file of the relevantprocess.

Upon detecting a suspicious activity, the Watchman may block or allowtransmission of CAN messages that it generates and/or report theactivity to Cyber-Hub 22 for analysis and remedial action. A report ofthe activity to Cyber-Hub 22 may include data identifying the suspiciousactivity along with suspected binary code of the process, memory dumpsand state of its threads on relevant events.

In the override operating mode, Watchman 40 may allow securemodification of its matching rules to allow particular traffic on thevehicle bus. For example, under normal operating procedure, Watchman 40Amay not allow CAN messages from telematics unit 78 to control the EMU ofengine control 62. However, a vehicle owner may want to be able to turnon the vehicle engine from the comfort of his or her home on a coldwinter day before getting into the vehicle to drive to work. To enablethis activity, Watchman 40 may be configured to be set to the overrideoperating mode and allow the vehicle owner to turn on the engine usingthe owner's mobile phone. In an embodiment Watchman switches to theoverride mode only after receiving and verifying authenticity of arequest for the override mode with permission to turn on the engine fromthe mobile phone. Optionally, the Watchman constrains an override modeit enables responsive to a request it receives for the override mode anda type of activity for which the override mode is requested.

For example, for enabling remote turn on of the vehicle engine, Watchman40A may limit the override mode in time and/or number and/or contents ofCAN messages it will allow from telematics unit 78 to pass through tohigh-speed bus 61. Optionally, it limits the remote turn on override tofive minutes and to a number of CAN messages generally required to turnon the engine. Upon receiving an override instruction the Watchman mayadd rules to its decision tree or change its internal state to indicatethat a window of opportunity has been opened for the designatedparticular traffic. The override mode may be used for example to allowremote diagnostic sessions in the vehicle or OTA firmware updates in thevehicle. A hosted Watchman may accept application specific overrideinstructions.

A specific set of decision rules may be used to protect the vehicle frommalicious, compromised or malfunctioning 3^(rd) party OBDII dongleswhich usually only require access to one CAN segment, and usually onlyrequire limited access to this segment. For example a Watchman may beembedded in the OBDII port of a vehicle, or in a 3^(rd) party OBDIIdongle or be packaged as a standalone device that may be placed betweenthe OBDII port of the vehicle and a 3^(rd) party dongle. Such a Watchmanmay be configured to only allow messages to pass from the vehicle to thedongle and not the other way around. Optionally, such a Watchman may beconfigured to only allow the dongle to read PIDs according to theUnified Diagnostic System Standard. Optionally such a Watchman mayphysically limit the 3^(rd) party dongle only to the specific CANsegment that it required for its normal operation, for example the HighSpeed bus.

There is therefore provided in accordance with an embodiment of thedisclosure, a system for providing security to an in-vehiclecommunication network, the system comprising: a data monitoring andprocessing hub; and at least one module configured to communicate withthe hub and be connected to a portion of a vehicle's in-vehicle networkhaving a bus and at least one node connected to the bus, the modulecomprising software executable to: monitor messages in communicationtraffic propagating in the portion; identify an anomalous message in themonitored messages indicative of exposure of the in-vehicle network todamage from a cyber attack; take an action that affects the anomalousmessage in the in-vehicle network; and transmit data responsive to themessage to the hub for processing.

Optionally, the at least one module is a rule based module and thesoftware comprises: a menu of response actions that may be undertaken inresponse to identifying the anomalous message; and a set of matchingrules that may be used as, or in establishing, a criterion fordetermining a response action in the menu to be undertaken by the modulein response to receiving the message. Optionally, the matching rules andresponse actions are configured in a decision tree having branchesstored in a memory of the at least one memory. Optionally, the module isconfigured to traverse the decision tree responsive to features of theanomalous message and navigate along a branch of the decision tree thatends at the action to be undertaken by the module in response to theanomalous message. Optionally, traversing the decision tree comprisesjumping from a first to a second branch in the decision tree.Optionally, the response actions in the library comprise at least one orany combination of more than one response action chosen from: allowingthe message, blocking the message, delaying the message; limiting thefrequency of the message, logging the message into a memory comprised inthe module; changing a component of a state feature vector representinga state of the vehicle; and/or raising an alert responsive to themessage.

In an embodiment of the disclosure the matching rules comprise at leastone or any combination of more than one matching rule chosen from:determine a message ID; determine a transmission frequency at which themessage is transmitted in the portion of the in-vehicle network;determine a state of the vehicle; or determine a state of the in-vehiclenetwork.

In an embodiment of the disclosure the module is configured to transmitsignals to the portion of the in-vehicle network to which it isconnected to alter a message it monitors so that the at least one nodewill discard it.

In an embodiment of the disclosure the module is configured to switch toan override operating mode in which it enables an entity outside of thein-vehicle network to communicate with a node of the in-vehiclecommunication network.

In an embodiment of the disclosure the system has at least one agentconnected to a node of the in-vehicle communication network andconfigured to monitor the node. Optionally, the node comprises softwareresponsive to which the node performs operations and the agent isconfigured to generate a hash of at least a portion of the software.Optionally, a module of the at least one module is configured totransmit a challenge to an agent of the at least one agent requestingthat the agent transmit to the at least one module a hash of at least aportion of the node software. Optionally, the module is configured todetermine if the hash received from the agent is generated responsive toa correct version of the software. Optionally, the module is configuredto transmit the hash received from the agent to the hub for adetermination of whether or not the hash is generated responsive to acorrect version of the software.

In an embodiment of the disclosure the at least one module is configuredto accumulate and store data from a plurality of messages that itmonitors. Optionally, the module is configured to transmit the data thatit accumulates to the hub. Additionally or alternatively the module isconfigured to generate at least one histogram responsive to the data.Optionally, the at least one histogram comprises at least one messagefrequency histogram. Optionally, the at least one message frequencyhistogram comprises at least one or any combination of more than one of:a message frequency histogram of message IDs; a message frequencyhistogram of messages transmitted to or from particular nodes connectedto the in-vehicle communication network; or a message frequencycomprising particular instructions or portions of the particularinstructions.

In an embodiment of the disclosure the module is configured to transmita histogram of the at least one histogram to the hub.

In an embodiment of the disclosure the module is configured to transmita query to the hub as to whether or not the module should transmit datait has accumulated to the hub.

In an embodiment of the disclosure the hub is configured to transmit arequest to the module to send data that it has accumulated to the hub.

In an embodiment of the disclosure the hub is configured to generate andtransmit signals responsive to data the hub receives from the modulethat operate to change the software in the module. In an embodiment ofthe disclosure the at least one module comprises a plurality of modules.Optionally, the plurality of modules are connected to communicate witheach other over a wireless local network.

In an embodiment of the disclosure the module is a software module thatmay be integrated with software of a node of the in-vehicle network.

In an embodiment of the disclosure the module is a hardware modulecomprising a physical port configured to be connected to the portion ofthe in-vehicle network.

In an embodiment of the disclosure the at least one module comprises aplurality of modules, each of which is connected to an in-vehiclecommunication system of a different vehicle. Optionally, the hubreceives data from each of the plurality of modules and is configured togenerate and transmit signals responsive to data that operate to changesoftware in at least one of the plurality of modules.

There is further provided in accordance with an embodiment of thedisclosure, a system for providing security to an in-vehiclecommunication network, the system comprising: a data monitoring andprocessing hub; and at least one module configured to monitor messagesin communication traffic propagating in a vehicle's in-vehicle network,the network having a bus and at least one node connected to the bus, themodule comprising: a communication interface configured to supportcommunication with the hub; a memory having software comprising datacharacterizing messages that the at least one node transmits andreceives during normal operation of the node; at least one communicationport via which the module receives and transmits messages configured tobe connected to a portion of the in-vehicle network; a processor thatprocesses messages received via the port from the portion of thein-vehicle network responsive to the software in the memory to: identifyan anomalous message in the received messages indicative of exposure ofthe in-vehicle network to damage from a cyber attack; determine anaction to be taken by the module that affects the anomalous message; andtransmit data responsive to the anomalous message to the hub forprocessing by the hub via the communication interface.

There is further provided in accordance with an embodiment of thedisclosure, a module for providing security to an in-vehiclecommunication network having a bus and at least one node connected tothe bus, the module comprising: a memory having software comprising datacharacterizing messages that the at least one node transmits andreceives via the bus during normal operation of the node; acommunication port via which the module receives and transmits messagesconfigured to be connected to a portion of the in-vehicle network; and aprocessor that processes messages received via the port from the portionof the in-vehicle network responsive to the software in the memory to:identify an anomalous message in the received messages indicative ofexposure of the in-vehicle network to damage from a cyber attack; andcause the module to transmit at least one signal via the port to theportion of the in-vehicle network that alters the anomalous message sothat the at least one node will discard it.

There is further provided in accordance with an embodiment of thedisclosure, Apparatus for providing security to an in-vehiclecommunication network having a bus and at least one node connected tothe bus and having software responsive to which the node performsoperations, the apparatus comprising: a first module configured to beconnected to the at least one node and generate and transmit a hash ofat least a portion of the node software in response to receiving achallenge; and a second module configured to be connected to thein-vehicle network and transmit a challenge to the first modulerequesting that the first module generate and transmit a hash of the atleast a portion of the node software to the second module; wherein thesecond module is configured to determine if the hash received from thefirst module is generated responsive to a correct version of the nodesoftware.

There is further provided in accordance with an embodiment of thedisclosure an in-vehicle communication network comprising: a bus and atleast one node connected to the bus a an in-vehicle network operatingsystem (OS) that manages OS processes, a secondary memory in whichprocess codes for the processes are stored, and a primary memory, intowhich the OS loads a copy of a process code of a process to enable aprocessor to run the process and execute the process code; and a modulehosted in the OS and having a hook in at least one position of the OSthat provides information to the module responsive to operation of theOS that the module processes in accordance with executable instructionsthat the module comprises to determine if the in-vehicle OS is operatingproperly. Optionally, the at least one position in the OS comprises atleast one or any combination of more than one of: a fork ( ), exec ( ),spawn ( ), or open ( ).

Additionally or alternatively processing the information comprisesdetermining if a copy of a process code in the primary memory being runby the processor and generating communication messages for transmissionvia the in-vehicle communication network is a copy of process code of aknown process. Optionally, processing the information comprisesdetermining if the copy of the process code in the primary memory beingrun by the processor is substantially the same as the copy of theprocess code in the secondary memory. Additionally or alternativelyprocessing the information comprises determining if all running threadsof the process code in primary memory are running from the code sectionof the copy of the process code and not from data stored in the primaryor secondary memory. In an embodiment of the disclosure processing theinformation comprises determining if all dynamic libraries associatedwith the process code being run from the primary memory are known andallowed. In an embodiment of the disclosure processing the informationthe OS is an OS chosen from the group consisting of: QNX, Linux, or anAndroid OS.

In an embodiment of the disclosure, the module executable instructionsand/or data are configured to: monitor messages in communication trafficpropagating in the in-vehicle network; identify an anomalous message inthe monitored messages indicative of exposure of the in-vehicle networkto damage from a cyber attack; and take an action that affects theanomalous message in the in-vehicle network.

Optionally, the module is a rule based module and comprises: a menu ofresponse actions that may be undertaken in response to identifying theanomalous message; and a set of matching rules that may be used as, orin establishing, a criterion for determining a response action in themenu to be undertaken by the module in response to receiving themessage.

Optionally, the matching rules and response actions are configured in adecision tree having branches and the module is configured to traversethe decision tree responsive to features of the anomalous message andnavigate along a branch of the decision tree that ends at the action tobe undertaken by the module in response to the anomalous message.

Additionally or alternatively, the response actions in the librarycomprise at least one or any combination of more than one responseaction chosen from: allowing the message, blocking the message, delayingthe message; limiting the frequency of the message, logging the messageinto a memory comprised in the module; changing a component of a statefeature vector representing a state of the vehicle; and/or raising analert responsive to the message.

In an embodiment of the disclosure, the matching rules comprise at leastone or any combination of more than one matching rule chosen from:determine a message ID; determine a transmission frequency at which themessage is transmitted in the portion of the in-vehicle network;determine a state of the vehicle; or determine a state of the in-vehiclenetwork.

There is further provided in accordance with an embodiment of thedisclosure a system comprising: a data monitoring and processing hub; aplurality of in-vehicle communication networks each configured tocommunicate with the hub and transmit to the hub data responsive to theOS if the module determines that the OS is not operating properly.Optionally, the hub is configured to process data received from anin-vehicle network of the plurality of in-vehicle networks to generateand transmit signals to at least one of the plurality of in-vehiclenetworks that changes the executable instructions in the in-vehiclenetwork's module.

In the description and claims of the present application, each of theverbs, “comprise” “include” and “have”, and conjugates thereof, are usedto indicate that the object or objects of the verb are not necessarily acomplete listing of components, elements or parts of the subject orsubjects of the verb. And unless otherwise stated, adjectives such as“substantially” and “about” modifying a condition or relationshipcharacteristic of a feature or features of an embodiment of thedisclosure, are understood to mean that the condition or characteristicis defined to within tolerances that are acceptable for operation of theembodiment for an application for which it is intended. In addition theword “or” is considered to be the inclusive “or” rather than theexclusive or, and indicates at least one of, or any combination of itemsit conjoins.

Descriptions of embodiments of the invention in the present applicationare provided by way of example and are not intended to limit the scopeof the invention. The described embodiments comprise different features,not all of which are required in all embodiments. Some embodimentsutilize only some of the features or possible combinations of thefeatures. Variations of embodiments of the invention that are described,and embodiments comprising different combinations of features noted inthe described embodiments, will occur to persons of the art. The scopeof the invention is limited only by the claims.

The invention claimed is:
 1. An in-vehicle communication networkcomprising: a bus and at least one node connected to the bus; anin-vehicle network operating system (OS) that manages OS processes, toenable a processor to run the processes and execute their respectiveprocess codes; and a module hosted in the OS that is configured tomonitor the OS and vet a process that the OS enables for running by aprocessor to determine if the process is potentially damaging.
 2. Thein-vehicle communication network according to claim 1 wherein the moduleis configured to prevent the process from having access to the networkbus if the process is determined to be potentially damaging.
 3. Thein-vehicle communication network according to claim 1 wherein the modulehas a hook in at least one position of the OS that provides informationto the module responsive to operation of the OS that the moduleprocesses to monitor the OS, the at least one position comprising atleast one or any combination of more than one of: a fork ( ), exec ( ),spawn ( ), or open ( ).
 4. The in-vehicle communication networkaccording to claim 3 wherein processing the information comprisesdetermining if all running threads of the process code being run arerunning from the code section of the process code.
 5. The in-vehiclecommunication network according to claim 1 wherein vetting the processcomprises determining if a copy of a process code of the process beingrun by the processor is a copy of process code of a known process. 6.The in-vehicle communication network according to claim 5 whereindetermining if the copy is a copy of a known process comprisesdetermining validity of a digital signature associated with the process.7. The in-vehicle communication network according to claim 5 whereinvetting the process comprises determining if the copy of the processcode being run by the processor is substantially the same as the copy ofthe process code in a secondary memory comprised in the in-vehiclenetwork in which process codes for the processes are stored.
 8. Thein-vehicle communication network according to claim 7 wherein vettingthe process comprises determining if all dynamic libraries associatedwith the copy of the process code being run are known and allowed. 9.The in-vehicle communication network according to claim 1 wherein the OSis an OS chosen from the group consisting of: QNX, Linux, or an AndroidOS.